A new study by a US consumer nonprofit has found that five out of six home routers are inadequately updated for security flaws, leaving the devices, and indirectly their users, vulnerable to hacking.
Carried out by the American Consumer Institute (ACI), the study analyzed a sample of 186 SOHO (small office/home office) Wi-Fi routers from 14 different vendors with a presence on the US market.
ACI experts recorded the firmware version each router was running and searched public vulnerability databases for known security flaws affecting that firmware and the components it bundles.
"In total, there was a staggering number of 32,003 known vulnerabilities found in the sample," said ACI experts in the study published last week.
"Our analysis shows that of the 186 sampled routers, 155 (83 percent) were found to have vulnerabilities to potential cyberattacks, in the router firmware, with an average of 172 vulnerabilities per router, or 186 vulnerabilities per router for the identified 155 routers," ACI experts said.
Of the 32,003 security flaws, more than a quarter were rated "critical" or "high-risk", the two highest severity ratings.
"Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample," researchers said.
These are staggeringly large numbers.
ACI experts said the use of open-source libraries is one of the main reasons for the presence of security flaws in router firmware, as a firmware image inherits the vulnerabilities of every smaller component it bundles, and those components are rarely updated in step with their upstream projects.
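As an added example that is not from the study or the article, the following Python script sketches the kind of matching the study describes: it takes a firmware component inventory for a few hypothetical routers, checks each component's version against a vulnerability feed, and computes the same summary figures the study reports (share of devices with at least one known flaw, mean flaws per device, mean critical and high-risk flaws per device). Every component name, version, vulnerability record and the "affected from version X until fixed in version Y" range semantics is a constructed assumption made here; the identifiers are placeholders, not real CVEs or real products.

```python
"""Match firmware component inventories against a vulnerability feed and
summarise the results the way the ACI study reports them.

All data below is CONSTRUCTED for illustration: component names, versions
and vulnerability records are placeholders, not real products or CVEs.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One record: `component` is affected from `introduced` (inclusive)
    up to `fixed` (exclusive). `fixed=None` means no fix is known."""
    vid: str
    component: str
    introduced: tuple
    fixed: tuple | None
    severity: str  # "critical", "high", "medium" or "low"


def parse_version(text: str) -> tuple:
    """'1.31.1-r2' -> (1, 31, 1). Non-numeric suffixes are ignored so that
    vendor build tags do not break the comparison."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(vuln: Vuln, version: tuple) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    if version < vuln.introduced:
        return False
    return vuln.fixed is None or version < vuln.fixed


def find_vulns(inventory: dict, feed: list) -> dict:
    """Map each device to the Vuln records matching its component inventory
    (component name -> version string)."""
    matches = {}
    for device, components in inventory.items():
        hits = []
        for component, version_text in components.items():
            version = parse_version(version_text)
            hits.extend(v for v in feed
                        if v.component == component and is_affected(v, version))
        matches[device] = hits
    return matches


def summarize(matches: dict) -> dict:
    """The study's headline figures: share of devices with any known flaw,
    mean flaws per device (over all and over affected devices only), and
    mean critical / high-risk flaws per device."""
    if not matches:
        raise ValueError("empty inventory")
    devices = len(matches)
    affected = sum(1 for hits in matches.values() if hits)
    total = sum(len(hits) for hits in matches.values())
    by_severity = Counter(v.severity for hits in matches.values() for v in hits)
    return {
        "devices": devices,
        "affected": affected,
        "pct_affected": 100.0 * affected / devices,
        "mean_per_device": total / devices,
        "mean_per_affected": total / affected if affected else 0.0,
        "mean_critical": by_severity["critical"] / devices,
        "mean_high": by_severity["high"] / devices,
    }


# Constructed vulnerability feed (placeholder IDs and component names).
FEED = [
    Vuln("VULN-0001", "example-httpd", (1, 0), (1, 4), "critical"),
    Vuln("VULN-0002", "example-httpd", (1, 0), (1, 6), "high"),
    Vuln("VULN-0003", "example-libssl", (0, 9, 8), (1, 0, 2), "critical"),
    Vuln("VULN-0004", "example-libssl", (1, 0, 0), (1, 0, 2), "medium"),
    Vuln("VULN-0005", "example-dnsproxy", (2, 0), (2, 80), "high"),
    Vuln("VULN-0006", "example-dnsproxy", (2, 75), (2, 76), "low"),
]

# Constructed per-router component inventories (as a firmware-unpacking
# step would produce them; that step is assumed already done).
INVENTORY = {
    "router-A": {"example-httpd": "1.2.0", "example-libssl": "1.0.1",
                 "example-dnsproxy": "2.75"},
    "router-B": {"example-httpd": "1.5.2-r3", "example-libssl": "1.0.2",
                 "example-dnsproxy": "2.80"},
    "router-C": {"example-httpd": "1.6.0", "example-libssl": "1.1.0",
                 "example-dnsproxy": "2.86"},
    "router-D": {"example-httpd": "0.9.9", "example-libssl": "0.9.8",
                 "example-dnsproxy": "2.0"},
}

if __name__ == "__main__":
    matches = find_vulns(INVENTORY, FEED)
    for device, hits in matches.items():
        print(device, [v.vid for v in hits])
    print(summarize(matches))
```

The script assumes the inventory already exists; in practice the hard part is producing it, since the bundled components and their exact versions have to be recovered from the firmware image itself, and a real feed (such as NVD) expresses affected ranges in its own notation rather than the half-open tuple ranges used here.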
Furthermore, the lack of auto-update mechanisms keeps many of these devices vulnerable until a user is prompted to update the firmware, which usually happens only after a major router hacking spree such as the Mirai or VPNFilter outbreaks.
While some router vendors have started adding auto-update mechanisms to recent models, it will take years for those models to replace the older ones already deployed, and in the meantime older SOHO routers will continue to put users at risk, along with every IoT device connected behind them.
"Keeping firmware patched for known online threats may be an expense for manufacturers, but not doing so leaves consumers to collectively bear the burden of potentially much higher costs from cybercrime," ACI experts said.